App Guardian: An App Level Protection Against RIG Attacks

Stealing of sensitive information from apps is always considered to be one of the most critical threats to Android security. Recent studies show that this can happen even to the apps without explicit implementation flaws, through exploiting some design weaknesses of the operating system, e.g., shared communication channels such as Bluetooth, and side channels such as memory and network-data usages. In all these attacks, a malicious app needs to run side-by-side with the target app (the victim) to collect its runtime information. Examples include recording phone conversations from the phone app, gathering WebMD’s data usages to infer the disease condition the user looks at, etc. This runtime-information-gathering (RIG) threat is realistic and serious, as demonstrated by prior research and our new findings, which reveal that the malware monitoring popular Android-based home security systems can figure out when the house is empty and the user is not looking at surveillance cameras, and even turn off the alarm delivered to her phone.

To defend against this new category of attacks, we propose a novel technique that changes neither the operating system nor the target apps, and provides immediate protection as soon as an ordinary app (with only normal and dangerous permissions) is installed. This new approach, called App Guardian, thwarts a malicious app’s runtime monitoring attempt by pausing all suspicious background processes when the target app (called principal) is running in the foreground, and resuming them after the app stops and its runtime environment is cleaned up. Our technique leverages a unique feature of Android, on which third-party apps running in the background are often considered to be disposable and can be stopped anytime with only a minor performance and utility implication. We further limit such an impact by only focusing on a small set of suspicious background apps, which are identified by their behaviors inferred from their side channels (e.g., thread names, CPU scheduling and kernel time). App Guardian is also carefully designed to choose the right moments to start and end the protection procedure, and effectively protect itself against malicious apps. Our experimental studies show that this new technique defeated all known RIG attacks, with small impacts on the utility of legitimate apps and the performance of the OS. Most importantly, the idea underlying our approach, including app-level protection, side-channel based defense and lightweight response, not only significantly raises the bar for the RIG attacks and the research on this subject but can also inspire the follow-up effort on new detection systems practically deployable in the fragmented Android ecosystem.

Demos

Attacking Belkin NetCam

Belkin NetCam is a wireless IP camera designed for home surveillance and motion detection. It can detect the presence of burglars or other persons using motion detection and report to the house owner remotely.

We found that the side-channel information of the Belkin NetCam app can be used by an adversary for malicious purposes such as theft or robbery. Below is a video that demonstrates three attacks against the Belkin NetCam Wi-Fi camera with Night Vision: motion detection on, video watching, and audio blocking.

Audio Recording

The following demo shows that a malicious app with the RECORD_AUDIO permission (audio recording apps use this permission for good reasons, but it can be abused by ill-intentioned app developers) running in the background can record any phone call conversation. Such runtime-information-gathering (RIG) attacks have become one of the most serious threats to Android users’ privacy. In the following video, we also demonstrate how our App Guardian protects the user from the audio recording attack.

Protecting Belkin NetCam

This demo shows how App Guardian protects the Belkin NetCam Wi-Fi Camera with night vision from the “motion-detection-on” inference attack, as demonstrated in Demo. Note that in the demo, Guardian is set to automatically restore only the apps with an OOM_ADJ value of no more than 5, since those above 5 (almost all of them with a value of 9) are considered by Android to be disposable and therefore do not need to be recovered. If the user does want to recover them, our approach provides a list from which she can simply click to choose the app she wants to restore. Also note that Guardian can be configured to restore all terminated apps automatically.
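The sketch below is an added illustration, not App Guardian's own code. It shows two mechanics the page mentions: reading a background process's kernel time from the standard Linux `/proc/<pid>/stat` format, and the restore rule from the demo (OOM_ADJ of no more than 5 restored automatically, the rest offered to the user). The process names, package names, snapshot lines and function names are constructed for the example; how Guardian weighs such counters to judge suspicion is not described on this page.

```python
# Added illustration (not App Guardian's code). All sample data is constructed.
AUTO_RESTORE_MAX_OOM_ADJ = 5  # threshold stated in the demo description

def parse_stat(line):
    """Parse a /proc/<pid>/stat line into (pid, comm, utime, stime), in clock ticks.

    comm is wrapped in parentheses and may itself contain spaces or ')',
    so split on the last ')' instead of on whitespace.
    """
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition(" (")
    rest = tail.split()  # rest[0] is field 3 (state)
    return int(pid), comm, int(rest[11]), int(rest[12])  # fields 14 and 15

def kernel_time_deltas(before, after):
    """Kernel-mode ticks used per pid between two snapshots of stat lines."""
    start = {pid: stime for pid, _, _, stime in map(parse_stat, before)}
    deltas = {}
    for pid, comm, _, stime in map(parse_stat, after):
        if pid in start:  # skip processes that appeared mid-interval
            deltas[pid] = (comm, stime - start[pid])
    return deltas

def restore_plan(stopped, restore_all=False):
    """Split stopped apps {package: oom_adj} into (auto_restore, offered_to_user)."""
    auto = sorted(p for p, adj in stopped.items()
                  if restore_all or adj <= AUTO_RESTORE_MAX_OOM_ADJ)
    offered = sorted(p for p in stopped if p not in auto)
    return auto, offered

# Constructed snapshots, taken while the principal is in the foreground.
BEFORE = [
    "4321 (ex.recorder) S 180 180 0 0 -1 4194624 900 0 2 0 35 12 0 0 20 0 14 0 88123",
    "5150 (odd name) x) S 180 180 0 0 -1 4194624 120 0 0 0 8 3 0 0 20 0 6 0 90211",
]
AFTER = [
    "4321 (ex.recorder) S 180 180 0 0 -1 4194624 960 0 2 0 41 57 0 0 20 0 14 0 88123",
    "5150 (odd name) x) S 180 180 0 0 -1 4194624 120 0 0 0 8 3 0 0 20 0 6 0 90211",
    "6001 (ex.newproc) S 180 180 0 0 -1 4194624 10 0 0 0 1 1 0 0 20 0 4 0 99000",
]
STOPPED = {"com.example.recorder": 9, "com.example.music": 2, "com.example.sync": 5}

if __name__ == "__main__":
    print(kernel_time_deltas(BEFORE, AFTER))
    print(restore_plan(STOPPED))
```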